
Troubleshooting Certificate Validation Errors

Applies to: Exchange Server 2010

This topic explains how to resolve certificate validation errors or refers to documentation that may help you resolve the errors.

For more information about how the Microsoft Exchange Transport service selects certificates for Transport Layer Security (TLS), see the following topics:

Certificate Validation Errors or Status Messages

The certificate is valid but it is self-signed.

This error is an informational status message. By default, the certificate that is installed with Exchange Server 2010 is self-signed. It's generally a best practice to use certificates from trusted third-party certification authorities (CAs).

For more information, see Using PKI on the Edge Transport Server for Domain Security.

Certificate subject does not match the passed value.

This status message indicates that the domain name in the subject name field or the subject alternative name field of the certificate does not match the fully qualified domain name (FQDN) of the sending or receiving system. To correct this error, you must create a new certificate whose name matches the FQDN of the Send connector or Receive connector that tried to validate this certificate.

For more information, see Understanding TLS Certificates.

The signature of the certificate cannot be verified.

This status message indicates that the Microsoft Exchange Transport service was unable to validate the certificate chain, or that the public key that was used to validate the certificate signature is not the correct key.

A certificate chain processed, but ended in a root certificate which is not trusted by the trust provider.

This status message indicates that the certificate that was used for this operation is not trusted by the computer certificate store. To trust this certificate, the root certification authority for the given certificate must be present in the certificate store for this computer.

For more information about how to manually add certificates to the local certificate store, see the Help file for the Certificate Manager snap-in in the Microsoft Management Console (MMC).

The certificate is not valid for the requested usage.

This status message indicates that you must enable the certificate for use in the current application. For example, if you're trying to use this certificate for Domain Security, the certificate must be enabled for SMTP.

For more information about how to enable certificates, see Enable-ExchangeCertificate.

Alternatively, this status message may indicate that the certificate that you're using doesn't have the correct data in the Enhanced Key Usage field. All certificates that are used for TLS must contain a Server Authentication object identifier (OID) in that field. If you're trying to use a certificate for TLS that doesn't contain a Server Authentication OID in the Enhanced Key Usage field, you must create a new certificate.

For more information, see Understanding TLS Certificates.
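The subject-name and usage checks described above can be reproduced from the Exchange Management Shell before a connector tries the certificate. The following script is an added example, not part of the original topic or of Exchange itself; the thumbprint and connector identity are placeholders, and it assumes the Exchange 2010 cmdlets Get-ExchangeCertificate and Get-ReceiveConnector are available in the session.

```powershell
# Added example: report whether an Exchange certificate fits a Receive connector.
# Placeholders: replace with a thumbprint and connector identity from your server.
$thumbprint    = '<THUMBPRINT-PLACEHOLDER>'
$connectorName = '<SERVER>\Default <SERVER>'

# Get-ExchangeCertificate returns an X509Certificate2 with Exchange-specific
# properties (CertificateDomains merges subject CN and SAN entries; Services
# lists the Exchange services the certificate is enabled for).
$cert      = Get-ExchangeCertificate -Thumbprint $thumbprint
$connector = Get-ReceiveConnector -Identity $connectorName
$fqdn      = $connector.Fqdn.ToString()

# "Certificate subject does not match the passed value": the connector FQDN must
# appear in the certificate's names. A wildcard covers exactly one label, so
# *.contoso.com matches mail.contoso.com but not a.mail.contoso.com.
$nameMatch = $cert.CertificateDomains | ForEach-Object { $_.ToString() } | Where-Object {
    if ($_.StartsWith('*.')) {
        $fqdn.Split('.', 2)[1] -ieq $_.Substring(2)
    } else {
        $_ -ieq $fqdn
    }
}

# "The certificate is not valid for the requested usage": TLS needs the
# Server Authentication EKU (OID 1.3.6.1.5.5.7.3.1) ...
$serverAuthOid = '1.3.6.1.5.5.7.3.1'
$eku = $cert.Extensions | Where-Object {
    $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
}
$hasServerAuth = $eku -and ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $serverAuthOid })

# ... and the certificate must be enabled for SMTP (Enable-ExchangeCertificate -Services SMTP).
$smtpEnabled = "$($cert.Services)" -match 'SMTP'

# "Not within its validity period": compare against the local clock.
$now        = Get-Date
$inValidity = ($now -ge $cert.NotBefore) -and ($now -le $cert.NotAfter)

# New-Object is used instead of [pscustomobject] so this runs on the
# Windows PowerShell 2.0 shipped with Exchange 2010.
New-Object PSObject -Property @{
    Connector      = $connectorName
    Fqdn           = $fqdn
    NameMatches    = [bool]$nameMatch
    ServerAuthEku  = [bool]$hasServerAuth
    SmtpEnabled    = [bool]$smtpEnabled
    WithinValidity = $inValidity
    NotAfter       = $cert.NotAfter
}
```

Any False value in the output points at the corresponding status message above; for a Send connector, substitute Get-SendConnector, which also exposes an Fqdn property.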

A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.

This status message indicates that the system time is incorrect, the certificate has expired, or the time of the system that signed the file is incorrect. Verify that the following conditions are true:

  • The local computer clock is accurate.
  • The certificate has not expired.
  • The sending system clock is accurate.

If the certificate has expired, you must generate a new certificate.

For more information, see Understanding TLS Certificates.

The validity periods of the certification chain do not nest correctly.

This status message indicates that the certificate chain is corrupted or otherwise unreliable. Generate a new certificate by using the New-ExchangeCertificate cmdlet, or contact your certification authority to validate the certificate chain that was used for this certificate.

A certificate that can only be used as an end entity is being used as a CA or vice versa.

This status message indicates that the certificate is invalid because it was issued by an end-entity certificate and not a certification authority. An end-entity certificate is a certificate that has been created for specific application cryptographic usage. Generate a new certificate by using the New-ExchangeCertificate cmdlet, or contact your certification authority to validate the certificate.

The certificate or signature has been revoked.

Contact your certification authority to resolve this issue.

A certificate was explicitly revoked by its issuer.

Contact your certification authority to resolve this issue.

The revocation function was unable to check revocation because the revocation server was offline.

This status message indicates that the revocation server for the certificate could not be reached. In some cases, this is a temporary error caused by a malfunctioning revocation server. Otherwise, make sure that this computer can access the revocation server. If a firewall or proxy server sits between this computer and the revocation server, make sure that the computer is configured to pass through it (for example, with the correct proxy settings or firewall rules).

For more information, see Using PKI on the Edge Transport Server for Domain Security.

The revocation process could not continue. The certificates could not be checked.

This status message indicates that the revocation process was interrupted by a general network failure. If a firewall or proxy server sits between this computer and the revocation server, make sure that the computer is configured to pass through it.

For more information, see Using PKI on the Edge Transport Server for Domain Security.
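Most of the chain and revocation messages listed in this topic correspond to X509ChainStatusFlags values reported by the Windows certificate chain engine, so the chain can be built and inspected from the Exchange Management Shell to see which element and which condition is failing. This script is an added example, not part of the original topic or of Exchange; the thumbprint is a placeholder, it assumes Get-ExchangeCertificate is available, and the message mapping is the editor's, not an official table.

```powershell
# Added example: build the chain for an Exchange certificate with online
# revocation checking and explain each chain status using the messages above.
$thumbprint = '<THUMBPRINT-PLACEHOLDER>'   # placeholder, replace with your own
$cert = Get-ExchangeCertificate -Thumbprint $thumbprint

$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
# Consult the CRL/OCSP responder for every certificate in the chain; a failure
# to reach it surfaces as OfflineRevocation or RevocationStatusUnknown.
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
$chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
$chain.ChainPolicy.UrlRetrievalTimeout = New-TimeSpan -Seconds 15
# Require the Server Authentication EKU, as TLS does; a missing EKU shows up
# as NotValidForUsage ("not valid for the requested usage").
$null = $chain.ChainPolicy.ApplicationPolicy.Add(
    (New-Object System.Security.Cryptography.Oid '1.3.6.1.5.5.7.3.1'))

$trusted = $chain.Build($cert)

# Editor's mapping from chain status flags to the status messages in this topic.
$explain = @{
    'UntrustedRoot'           = 'chain ended in a root certificate not trusted by this computer'
    'NotTimeValid'            = 'certificate is not within its validity period'
    'NotTimeNested'           = 'validity periods of the chain do not nest correctly'
    'NotSignatureValid'       = 'signature of the certificate cannot be verified'
    'InvalidBasicConstraints' = 'end-entity certificate used as a CA, or vice versa'
    'NotValidForUsage'        = 'certificate is not valid for the requested usage'
    'Revoked'                 = 'certificate was explicitly revoked by its issuer'
    'RevocationStatusUnknown' = 'revocation could not be checked'
    'OfflineRevocation'       = 'revocation server was offline'
    'PartialChain'            = 'an issuing CA certificate could not be found in the store'
}

"Chain trusted: $trusted"
for ($i = 0; $i -lt $chain.ChainElements.Count; $i++) {
    $el = $chain.ChainElements[$i]
    "[$i] $($el.Certificate.Subject)  (expires $($el.Certificate.NotAfter))"
    foreach ($s in $el.ChainElementStatus) {
        $flag = $s.Status.ToString()
        # Fall back to the engine's own text for flags not mapped above.
        $why  = if ($explain.ContainsKey($flag)) { $explain[$flag] } else { $s.StatusInformation.Trim() }
        "     $flag : $why"
    }
}
$chain.Reset()
```

Element 0 is the certificate being validated and the last element is the root, so an UntrustedRoot or PartialChain entry on the final element means the missing CA certificate must be added to the local computer store as described above.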